CVE-2026-3040

Medium CVSS: 5.1

A vulnerability was identified in DrayTek Vigor 300B up to 1.5.1.6. This affects the function cgiGetFile of the file /cgi-bin/mainfunction.cgi/uploadlangs of the component Web Management Interface. The manipulation of the argument File leads to os command injection. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor confirms that "300B is EoL, and this is an authenticated vulnerability. We don't plan to fix it." This vulnerability only affects products that are no longer supported by the maintainer.

Vendor

Draytek

Product

Vigor300b Firmware

CWE

CWE-77

Yayın Tarihi

2026-02-23 22:16:25

Güncelleme

2026-02-26 16:11:00

Source Identifier

cna@vuldb.com

KEV Date Added

Kategoriler

CWE-77 Vigor300b Firmware MEDIUM Draytek 2026

Referanslar

https://github.com/master-abc/cve/issues/42 https://vuldb.com/?ctiid.347394 https://vuldb.com/?id.347394 https://vuldb.com/?submit.757126

Benzer Kayıtlar

Critical

CVE-2024-51138

Vigor165/166 4.2.7 and earlier; Vigor2620/LTE200 3.9.8.9 and earlier; Vigor2860/2925 3.9.8 and earlier; Vigor2862/2926 3…

Critical

CVE-2024-51139

Buffer Overflow vulnerability in Vigor2620/LTE200 3.9.8.9 and earlier and Vigor2860/2925 3.9.8 and earlier and Vigor2862…

High

CVE-2024-41334

Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vi…

High

CVE-2024-41338

A NULL pointer dereference in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor…

High

CVE-2024-41339

An issue in the CGI endpoint used to upload configurations in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620…

High

CVE-2024-41340

An issue in Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior t…